Blocking Web Proxies and VPNs

You can use the Smoothwall Filter and Firewall to block access to HTTPS proxy sites, or to prevent HTTPS proxy software such as UltraSurf from bypassing the Smoothwall Filter.

Web filters are becoming increasingly popular, and are used to restrict a user's internet access to certain types of content. This has led to the creation of numerous proxy websites and proxy software applications designed to bypass web filters such as Guardian.

UltraSurf is one example of an application that bypasses web filters to gain access to sites that would otherwise be blocked. When someone uses a proxy website or application to request content, the proxy contacts a server which retrieves the requested content and returns it to the user, typically over an HTTPS connection. Because HTTPS traffic is encrypted, the content cannot be seen by web filters, so no policies can be applied to it. As more proxies are created every day, each more complex and more efficient at bypassing web filters, simply blocking access to these services using domain or URL filtering alone is not particularly effective.

Filter

Make sure that all clients go through a transparent proxy with HTTPS support enabled; see our help topic, Creating authentication policies. Note: This might cause issues for other software applications that do not support this type of setup.

The Web proxies category is blocked by default because it is part of the Core Blocked Content web filter policy; see our help topic, Managing web filter policies. Add a block policy if you do not already have one for either Web proxies or Core Blocked Content.

Create an HTTPS inspection policy that validates the certificate; see our help topic, Creating HTTPS inspection policies. This ensures that any site visited must present a valid HTTPS certificate.

As an alternative, you can create an HTTPS inspection policy to Decrypt and inspect HTTPS requests through the web filter. However, this requires the certificate used by the Filter to be installed on each client machine; see our help topic, Managing HTTPS inspection settings.

Firewall

Additionally, you can control access to ports using a firewall. If you are using the Smoothwall Firewall, you do this on the Firewall rules page, see our help topic, Adding new Smoothwall Firewall rules.

Proxies will typically attempt to connect to their servers on port 80 or 443. If this fails, some applications can fall back to other ports. The following table details the ports predominantly used by proxy bypass software:

Proxy | Ports | Additional Notes | Last Checked
--- | --- | --- | ---
Betternet | 1194, 5228, 7268, 9110 | Also attempts 80 or 443 (*) | 20th June 2019
CyberGhost | 8078 | | 20th June 2019
F-Secure Freedome VPN | 500, 2744 | | 31st January 2018
Freegate | 1024-65535 | | March 2017
freevpn.og | 8010 | Also attempts 80 or 443 (*) | 20th June 2019
GPass | 1024-65535 | | January 2017
Hexatech | 5228, 9110 | | 20th June 2019
Hideman VPN | 500, 995 | | 31st January 2018
HotSpot Shield | 105, 179, 465, 990, 1024-65535 | Also attempts 80 or 443 (*) | 20th June 2019
Kiwi VPN | 1194 | | 24th June 2019
Opera Free VPN | 1194, 5353 | Also attempts 80 or 443 (*) | 20th June 2019
PrivitizeVPN | 1723 | | January 2017
Secure VPN | 82, 115, 500, 910, 4500 | | 24th June 2019
Security Kiss | 123, 5000, 5353 | | 20th June 2019
SetupVPN | 3000 | | 24th June 2019
Snap VPN | 500 | Also attempts 80 or 443 (*) | 24th June 2019
SpeedVPN | 7, 1024-65535 | | 20th June 2019
Spotflux | 443 | Also attempts 80 or 443 (*) | January 2017
Surf VPN | 9970-9979 | | 24th June 2019
Thunder VPN | 53, 81, 465, 802, 936 | | 24th June 2019
Tor | 1024-65535 | Also attempts 80 or 443 (*) | 24th June 2019
TunnelBear | 7011 | | 20th June 2019
Turbo VPN | 500 | | 24th June 2019
VPN Monster | 23, 25, 66, 110, 119 | Also attempts 80 or 443 (*) | 24th June 2019
VPNGate | 500, 992, 995, 1024-65535 | Also attempts 80 or 443 (*) | 24th June 2019
VPN360 | UDP 443, 500, 4000 | | 24th June 2019
Yoga VPN | 5000, 8000, 52000 | Also attempts 80 or 443 (*) | 21st June 2019
Windscribe | UDP: 80, 443. TCP and UDP: 500, 1194, 4500, 5228, 54783 | Also attempts 80 or 443 (*) | 21st June 2019
X-VPN | A range of different ports, including 21, 25 and 53 | Lock down your firewall and open only the ports that are necessary. Also attempts 80 or 443 (*) | 26th June 2019

(*) These proxies will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only.
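As an added example (not Smoothwall's own code), the following script audits an egress allowlist against rows from the table above, using the table's own port notation. It reports which listed ports each proxy could still reach through the firewall; ports 80 and 443 are left to the HTTPS inspection policy, as the note above describes. The rows are a constructed subset and protocol (TCP/UDP) is not distinguished.

```python
from typing import Dict, List, Set, Tuple

# A few rows transcribed from the table above (constructed subset; protocol not distinguished).
PROXY_PORTS = {
    "Betternet": "1194, 5228, 7268, 9110",
    "Freegate": "1024-65535",
    "Hideman VPN": "500, 995",
    "TunnelBear": "7011",
    "VPNGate": "500, 992, 995, 1024-65535",
    "Yoga VPN": "5000, 8000, 52000",
}

def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Turn the table's notation ('500, 992, 1024-65535') into inclusive (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ranges.append((lo, hi))
    return ranges

def reachable_ports(spec: str, allowed: Set[int]) -> Set[int]:
    """Ports of one proxy that an egress allowlist still lets through."""
    return {p for lo, hi in parse_ports(spec) for p in allowed if lo <= p <= hi}

def audit(allowed: Set[int], table: Dict[str, str] = PROXY_PORTS) -> Dict[str, Set[int]]:
    """Map each proxy to the allowed ports it could still use; an empty set means the
    firewall closes every listed port (80/443 are the HTTPS inspection policy's job)."""
    return {name: reachable_ports(spec, allowed) for name, spec in table.items()}

if __name__ == "__main__":
    # Constructed allowlist: web, DNS, NTP and IPsec egress only.
    for name, ports in audit({53, 80, 123, 443, 500, 4500}).items():
        print(f"{name:12} {sorted(ports) if ports else 'closed on firewall'}")
```

A proxy whose only remaining ports are 500 or 4500 is being carried by the IPsec allowance, which is the kind of overlap the X-VPN row warns about.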

Blocking UltraSurf

UltraSurf is a proxy application installed locally on users' devices. Users then configure their browsers to point to the local proxy. The UltraSurf proxy sends outgoing traffic to HTTPS sites by IP address. This is the case both when UltraSurf sends traffic directly to port 443 (HTTPS) and when it is set to use an upstream proxy.

So, what can be done?

Block the installation and execution of the UltraSurf application using domain-wide security policies

Set proxy settings in a security policy so users cannot override them

These are basic recommendations for blocking UltraSurf traffic. Users may still get around security policies by using devices that are not domain-managed, or devices on which they have administrator rights.

Server Name Indication (SNI) is an extension to the HTTPS Transport Layer Security (TLS) handshake that tells the proxy which domain the traffic is destined for. SNI is used by the Guardian web filter when transparently intercepting HTTPS traffic.

Additional actions for the Guardian web filter:

It is recommended you create a transparent web proxy authentication policy which blocks HTTPS traffic that does not present an SNI header. See our help topic, Creating authentication policies.

Note: The two options shown above may also stop legitimate applications from working if they use the same type of traffic as UltraSurf, such as some cloud-based services. Without SNI information, Guardian cannot easily differentiate between UltraSurf and non-UltraSurf traffic using any parameter other than the destination IP address.